I have a query which is frankly stumping me at the moment.
A customer has a couple of web servers on their internal network. They need to provide access from external hosts to these servers on port 443. They have an ASA5510 which has static NAT to translate the inbound destination IP from an external address to the real internal address of the servers. This all works fine as proved with 'capture'. I can see inbound packets being translated and squirted out the inside interface to the servers, via an internal L3 switch.
However, the ASA is NOT the default gateway of the internal L3 switch, so responses from the servers hit their default gw (the L3 switch) which for obvious reasons doesn't have a seperate route for every single internet host, so the L3 switch forwards the response to it's default gw which is a different firewall (not the ASA the request came in on).
So the problem is the client never sees the response from the server.
Without changing the default gw of the L3 switch, I believe the only way around this problem is to get the ASA to translate the inbound SOURCE IP address as well as the destination, so that the L3 switch can forward the responses from the server back to the ASA correctly.
However I'm unsure on how this should be configured.
Thanks in advance for any suggestions!